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Abstract. The Ambient Logic (AL) has been proposed for expressing properties of pro- 
cess mobility in the calculus of Mobile Ambients (MA) , and as a basis for query languages 
on semistructured data. 

In this paper, we study the expressiveness of AL. We define formulas for capabilities 
and for communication in MA. We also derive some formulas that capture finitess of a 
term, name occurrences and persistence. We study extensions of the calculus involving 
more complex forms of communications, and we define characteristic formulas for the 
equivalence induced by the logic on a subcalculus of MA. This subcalculus is defined by 
imposing an image-finiteness condition on the reducts of a MA process. 
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1. Introduction 

The Ambient Logic, AL, ^CG00 j is a modal logic for expressing properties of processes 
in the calculus of Mobile Ambients, MA CGOSa (.'( '■!)!) . In MA the unit of movement is an 
ambient, which, intuitively, is a named location. An ambient may contain other ambients, 
and capabilities, which determine the ambient movements. The primitives for movement 
allow: an ambient to enter a sibling ambient; an ambient to exit the parent ambient; a 
process to dissolve an ambient boundary. MA has a replication operator to make a process 
persistent, that is, to make infinite copies of the process available. 

An ambient can be thought of as a labelled tree. The sibling relation on subtrees 
represents spatial contiguity; the subtree relation represents spatial nesting. A label may 
represent an ambient name or a capability; moreover, a replication tag on labels indicates 
the resources that are persistent. 1 The trees are unordered: the order of the children of a 

def 

node is not important. As an example, the process P = !a[in c] | open a. b[0] is represented 
by the tree: 

la y' \^open a 
in c I b I 

The replication \a indicates that the resource a[in c] is persistent: unboundedly many such 
ambients can be spawned. By contrast, open a is ephemeral: it can open only one ambient. 

Syntactically, each tree is finite. Semantically, however, due to replications, a tree is an 
infinite object. As a consequence, the temporal developments of a tree can be quite rich. 
The process P above (we freely switch between processes and their tree representation) has 
only one reduction, to in c | !a[in c] | b[0]. However, the process !a[in c] | !open a. 6[0] can 
evolve into any process of the form 

in c | ... | in c | b[0] \ ... \ b[0] | !a[in c] | !open a. b[0] . 
In general, a tree may have an infinite temporal branching, that is, it can evolve into an 
infinite number of trees, possibly quite different from each other (for instance, pairwise 
behaviourally unrelated). Technically, this means that the trees are not image- finite. 

In summary, MA is a calculus of dynamically-evolving unordered edge-labelled trees, 
and AL is a logic for reasoning on such trees. The actual definition of satisfaction of the 
formulas of AL is given on MA processes quotiented by a relation of structural congruence, 

^We are using a tree representation different from that of Cardelli and Gordon, but more convenient to 
our purposes. 
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which equates processes with the same tree representation. (This relation is similar to 
Milner's structural congruence for the 7r-calculus Mil99 .) 

AL has also been advocated as a foundation of query languages for semistructured 
data |Car01| . Here, the laws of the logic are used to describe query rewriting rules and query 
optimisations. This line of work exploits the similarities between dynamically-evolving edge- 
labelled trees and standard models of semistructured data. 

AL has a connective that talks about time, that is, how processes can evolve: the 
formula O A is satisfied by those processes with a future in which A holds. The logic has 
also connectives that talk about space, that is, the shape of the edge-labelled trees that 
describe process distributions: the formula n[A] is satisfied by ambients named n whose 
content satisfies A (read on trees: n[A] is satisfied by the trees whose root has just a 
single edge n leading to a subtree that satisfies .4); the formula A\ \ A2 is satisfied by 
the processes that can be decomposed into parallel components Pi and P% where each P{ 
satisfies Ai (read on trees: A\ \ A2 is satisfied by the trees that are the juxtaposition of two 
trees that respectively satisfy the formulas A\ and A2); the formula is satisfied by the 
terminated process (on trees: is satisfied by the tree consisting of just the root node). 

AL is quite different from standard modal logics. First, such logics do not talk about 
space. Secondly, they have more precise temporal connectives. The only temporal connec- 
tive of AL talks about the many-step evolution of a system on its own. In standard modal 
logics, by contrast, the temporal connectives also talk about the potential interactions be- 
tween a process and its environment. For instance, in the Hennessy-Milner logic JHM85 , 
the temporal modality (fi)-A is satisfied by the processes that can perform the action \i and 
become a process that satisfies A. The action /i can be a reduction, but also an input or 
an output. The lack of temporal connectives in the ambient logic is particularly significant 
because in MA interaction between a process and its environment can take several forms, 
originated by the communication and the movement primitives. (There are 9 such forms; 
they appear as labels of transitions in a purely SOS semantics of MA CG98b, LSOO .) 

This paper is essentially devoted to the study of the expressiveness of AL. The results we 
present show that AL is actually a very expressive formalism. In particular, we are able to 
derive formulas expressing capabilities of processes for movement and for communication, 
as well as the persistence of processes (as given by the replication operator), and free 
occurrences of names in processes. The ability to derive such constructions is surprising, 
considering that there is no connective in the logic that is directly related to such properties: 
no construct mentions the capabilities of the calculus, nor does the logic include infinitary 
operators, or operators that talk about resources with infinite multiplicity. 

Our results are established using nontrivial technical developments, and the methods 
we exploit are of interest in their own. More precisely, the general approach to derive 
expressiveness formulas is to exploit adjunct connectives to introduce a form of contextual 
reasoning, together with the temporal modality to make it possible to observe the desired 
properties. It can be noted that related constructions have been introduced in the setting of 
Separation Logic Rey02| in order to express weakest preconditions for pointer manipulation 



instructions in an imperative language. 

The expressive power of AL that we thus prove has several consequences. The first 
consequence is that we are able to define characteristic formulas for image-finite Ambi- 
ent processes, i.e., formulas that capture the equivalence class of a process with respect 
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to the induced logical equivalence. This is in contrast with usual results in modal log- 
ics. Typically, the definition of characteristic formulas exploits fixed-point operators, and 
the characterised processes are finite-state [U386I I5l94j . As mentioned above, AL has no 
fixed-point operator; moreover the image-finiteness condition on processes is weaker than 
finite-state. ('Image-finite' expresses finiteness on internal reductions, whereas 'finite-state' 
also takes into account computations containing visible actions such as input and output 
actions.) 

Another major consequence of our results is to show that AL is an intensional logic. 
Informally, this holds because the logic allows one to inspect the structure of processes, 
not only by separating subcomponents of a process, but also by capturing its interaction 
capabilities. More formally, intensionality of the Ambient Logic is expressed by showing 
that the equivalence induced by the logic coincides with structural congruence on processes. 
This result, that is established using the constructions we have discussed above (and, in 
particular, characteristic formulas), says that AL is a very fine grained logic. 

Structure of the paper. Section |2] introduces the calculus and the logic we study in this pa- 
per. Sections El and 0] present two main contributions in terms of expressiveness of AL: we 
define some formulas capturing respectively some syntactical constructions of the calculus 
(capabilities for movement and communication) and some nontrivial properties of processes 
(finiteness, occurrences of free names, and persistence). In Section we exploit these con- 
structions to define characteristic formulas for logical equivalence. Intensional bisimilarity, 
which, for the purposes of the present work, is a technical device that is needed to reason 
about characteristic formulas, is presented in Subsection 15. II The proofs of the main prop- 
erties enjoyed by intensional bisimilarity are not provided, and can be found in a companion 
paper |HLS05| . Finally, in Section we study extensions of the calculus we work with, and 
show our results can be adapted to the corresponding settings. 

The results of this paper come from the two conference papers |San01| and |HLS 02 : in 
SanOl], the author presented the encoding of the modalities for capabilities and communica- 
tions (Sections |31 and El) and the definition of intensional bisimilarity, whereas the formulas 
capturing finiteness, name occurrence, and persistence (Section 0} and the characteristic 
formulas (Section |5J) come from HLS02 . This paper focuses on the expressiveness results 
coming from these two conference papers, whereas a companion paper |HLE05| presents the 
separability results. 

Developments. By the time the writing of the present paper was completed, a few works 
have appeared that make use of results or methods presented here. We discuss them below. 

The 'contextual games' we have discussed above have been exploited in several set- 
tings. Along the lines of the derivation of formulas capturing Mobile Ambients capabili- 
ties, HLS03 extends and develops this line of research in the setting of a sub-logic of AL, 
that is applied to reason about MA and 7r-calculus processes. Other interesting properties 
can be derived using this approach. An example is quantifiers elimination |CL04| . An- 
other study |Hirfl4j demonstrates that in some sense, contextual games represent the logical 
counterpart of 'contextual testing' as in barbed equivalence JSW01 . 

Our expressiveness results also allow us to bring to light redundancies in spatial logics 
for concurrency. For example, an operator to express occurrences of free names in processes 
is analysed in related works |CG01l IHLS03j . In the setting of the present work, such an 
operator is encodable in AL. 
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7 J 

n, k, . . .n,m 


Names 




Processes 


V 


Names U Variables 


P,Q,R ::= 


(nil) 






I p 1 Q 


(parallel) 




Expressions 


\p 


( replication ) 


M,N ::= cap 


( capability ) 


M.P 


(prefixing) 






r,[P] 


(ambient) 




Capabilities 


M 


(message) 


cap ::= in?? 


( enter) 


(x) P 


(abstraction) 



out 77 (exit) 
open 7/ (open) 

Table 1: The syntax of finite MA 



This kind of encodability results allow one to compare different versions of spatial logics 
for concurrency, and are useful to assess minimality properties of the logics. 

2. Background 

This section collects the necessary background for this paper. It includes the MA 
calculus |UG98aj (semantic and syntax), and the Ambient Logic CGOO . 

2.1. Syntax of Mobile Ambients. We recall here the syntax of MA CG98a] (we some- 
times call this calculus the Ambient calculus). We first consider the calculus in which only 
names, not capabilities, can be communicated; this allows us to work in an untyped calculus. 
We analyse extensions of the calculus in Section 

As in |OG001 TCar991 ICG04| . the calculus has no restriction operator for creating new 
names. The restriction- free calculus has a more direct correspondence with edge-labelled 
trees and semistructured data. 

Table ^ shows the syntax. Both the set of names and that of variables are infinite. 
Letters n, m, h range over names, x, y, z over variables; r\ ranges over names and variables. 
The expressions in 77, out 77, and open r\ are the capabilities, and are ranged over using 
cap. Messages and abstractions are the input/output (I/O) primitives. The metavariables 
M, N, for messages, will become usefull when considering extensions of the language (see 
Section EJ). A closed process has no free variables. We ignore syntactic differences due to 
alpha conversion, and we write P{ n /x} for the result of substituting x with n in P. In the 
paper, all definitions and results are given only for closed processes, unless otherwise stated. 

Given an integer n > 0, we will write Pi, (1 < i < n) for a (finite) sequence of processes 
P 1 , • • • , Pn ■ 

Processes having the same internal structure are identified. This is expressed by means 
of the structural congruence relation, =, the smallest congruence such that: 
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open n.P | n[Q] — > P \ Q P nfinm.Pi | P 2 ] I m[Q] — > m[n[Pi | P 2 ] \ Q] 

P — > P' 

Red-Dut — 7— = r— t Red-Amb 



m[n[outm. P x \ P 2 ] \ Q] — ► n[Pi | P 2 ] I m[Q] n[P] — ► n[P' 

P — > P' 

Red-Corn — , — , - Red-Par 



{M} \{x)P — ► P{M/x} P\Q^P'\Q 
p = pi pi > pii pn — pin 



P — ► P'" 
Table 2: The rules for reduction 



Red-Str 



P | = P P\Q = Q\P P\{Q\R) = (P\Q)\R 

IP = \P | P !0 = !(P | Q) = \P\\Q UP = IP 

As a consequence of results in |DZ00| . that studies a richer calculus than the one we 
study, we have: 

Theorem 2.1. The relation = is decidable. □ 
The two following syntactic notions will be useful below. 

Definition 2.1 (Finite and single processes). 

• A closed process P is finite if there exists a process P' with no occurrence of the 
replication operator such that P = P'. 

• A closed process P is single if there exists P' such that either P = cap. P' for some 
cap, or P = n[P'] for some n, or P = (x)P for some x. 

Unless otherwise stated, all results and definitions we state in the sequel are on closed 
terms. 



2.2. Operational Semantics. The operational semantics of the calculus is given by a 
reduction relation — defined by the rules presented in Table 12.21 The reflexive and 
transitive closure of — ► is written =X 

Lemma 2.2. If P — > Q then there is a derivation of the reduction in which Red-Str is 
applied, if at all, only as the last rule. □ 

Lemma 12 . 21 shows that every reduction P — ► P' has a normalised derivation proof. As 
a consequence, we have: 

Lemma 2.3. If P — ► Q then either 

(1) P = R\ m[n[outm. Pi | P 2 ] \ P3} andQ = R\ n[P x \ P 2 ] \ m[P 3 ], or 

(2) P = R \ n[\nm. P 1 \ P 2 ] \ m[P 3 ] and Q = R \ m[n[P x \ P 2 ] \ P 3 ], or 

(3) P = R\ open n. Pi | n[P 2 ] andQ = R\P 1 \ P 2 , or 
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V 



T 


(true) 




(negation) 


Av B 


(disjunction) 


Vi. A 


(universal quantification over names) 


OA 


(sometime) 





(void) 


V [A] 


( edge) 


A | B 


(composition) 


A@T] 


(localisation ) 


A> B 


( guarantee ) 



Table 3: The syntax of logical formulas 



(4) P = R\ {n} | (x) Pi andQ = R\ Pi{ n /x}, or 

(5) P = R\ n[Pi], Q = R\ n[Qi] and P 1 — ► Q x . □ 

We now introduce some forms of labelled transitions that we will use to give the inter- 
pretation of some of our logical constructions. 

Definition 2.2 (Labelled transitions). Let P be a closed process. We write: 



p _g pi ^ wnere cap is a capability, if P = cap. Pi | Pi and P' = P\\ P; 



2- 



• P H P' if P ee {n} I P'. 



?r. 



P ^4 P' if P ee (x) Pi I P 2 and P' ee Pi{"/r} | P 2 . 
P =^=> P', where fj, is one of the above labels, if P A ==>- P' (where ==> ==>■ 
is relation composition). 

(stuttering) P ( cap i' cap ^) if there is i > 1 and processes Pi, . . . , Pj with P = P\ 
and P' = Pi such that P r =^ P r +i for all 1 < r < i. 

Finally, ==>■ is a convenient notation for compacting statements involving capability 

, ... w , (in n ) (out n,in n)*, . , (out n) . (in n,out n)*, 

transitions. We let => stand for s =^=^; similarly ==> is =======>; 

(open n) . 

and => is ==>. 



2.3. The Ambient Logic. The logic has the propositional connectives, T, —*A, A V B, 
and universal quantification on names, Vx. A, with the standard logical interpretation. The 
temporal connective, OA has been discussed in the introduction. The spatial connectives, 0, 
A | B, and rj[A], are the logical counterpart of the corresponding constructions on processes. 
A\>B and A@rj are the logical adjuncts of A \ B and i][A] respectively, in the sense of being 
roughly their 'contextual inverse', as expressed in Definition 12.31 below. 

The logic in CGOO has also a somewhere connective, that holds of a process containing, 
at some arbitrary level of nesting of ambients, an ambient whose content satisfies A. We do 
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not consider this connective in the paper because we find it less fundamental than the other 
operators; in any case, its addition would not affect the results in the paper and has been 
seldomly considered in other works. (Further, we discuss in the final section a "strong" 
version of the sometimes modality.) 

Definition 2.3 (Satisfaction). The satisfaction relation between closed processes and closed 
formulas, written P \= A, is defined as follows: 

P \= T = f always true 

P \= V x . A = for any n, P \= A{n/x} 

P\=^A = notP^.4 

P\=Ai | A 2 = 3P 1 ,P 2 s.t. P = P 1 \P 2 and Pi \=Ai, i = l,2 

P^AvB = P^Aoi P^B 

p |= n [A] = 3P' s.t. P = n[P'\ and P' \= A 

P \= d = P = 

P |= OA d = 3P' s.t. P^P' and P< \= A 
p |= A@n = f n[P] \= A 
P^A>B d = Vi?, R\= A implies P \ R \= B 
By definition, satisfaction is closed by structural congruence: 
Lemma 2.4. If P = Q and P \= A, then also Q \= A. □ 

We give V and A the least syntactic precedence, thus Ai\>A 2 A ^,3 reads („4i 0.4.2) A 
^3, and Ai>(OA 2 A O^) reads ^4iD>((0^2) A (0^.3)). We shall use the dual of some 
connectives, namely the duals of linear implication (A>B), of the sometime modality (OA), 
of the parallel operator (||), and the standard duals of universal quantification (3 x . A) and 
disjunction (A A B); we also define (classical) implication (.4 — > B): 

A A B d = -.(-..4 V ->B) DA = -.O-.^ A -> B = ^Av B 

3x.A= ^x.^A A>B = l ^(A>^B) ± -.T 

Thus P \= A+-B iff there exists Q with Q \= A and P \ Q \= B, and P \= a A iff P' |= 4. 
for all P' such that P P'. 

We now define the induced equivalence between processes induced by the logic: 

Definition 2.4 (Logical equivalence). For processes P and Q, we write P=lQ if f° r an y 
closed formula A it holds that P |= A iff Q |= A. 



3. Formulas for capabilities and communications 



In this section, we show that we can capture at a logical level prefixes of the language, 
both for movement and for communication. 
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3.1. Preliminary formulas: counting components and comparing names. We start 
by recalling some formulas from |CG00| that will be useful for some constructions presented 
below. 

The Ambient Logic allows one to count the number of parallel components of a process. 
The formula below is true of a process that has exactly one parallel component that is 
different from 0. 

lcomp d =^(^0 | -.0) A^O 



Lemma 3.1. It holds that P (= lcomp iff P is single. □ 
Similarly we define 

2comp *F lcomp | lcomp 

We may impose a given formula A to be satisfied by all single parallel components of 
a process, using the following definitions: 

A" d ^ f ^A | T) 
A u = (lcomp ^„4) v 

Lemma 3.2. 

• P \= A^ iff for any Q, R such that P = Q \ R, it holds that Q \= A. 

• P \= A u iff all single parallel components of P satisfy A. □ 

We shall use later the following derived formula, from CGOC j], that expresses equality 
between names: 



m = n = (n[T])@m 



Lemma 3.3. P \= m = n iff names m and n are equal. □ 



3.2. Formulas for capabilities. The two formulas below are true of a process that is 
(structurally congruent to) an ambient and (to) an empty ambient, respectively. 



lamb 


def 


3 x . 


x[T] 


lambO 


def 


3 x 


x[0] 



Lemma 3.4. 

• P (= lamb iff P = n[Q], for some n and Q. 

• P \= lambO iff P = n[0], for some n. □ 
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To help understanding the definitions of the capability formulas, we first discuss some 
simpler formulas, which do not talk about the process underneath the prefix. We define, 
for names n ^ h: 

((open n» d = n[h[0}} > O (h[0] | T) 
A lcomp 
A -i lamb 

((out n)) d = (O (h[T\ | n[0]))@n@h 
A lcomp 
A -i lamb 

It holds that P \= ((open n)) iff P = open n. P' for some P' . We sketch the proof. The 
sub-formula lcomp A -> lamb says that P is single and is not an ambient. Thus, modulo 
=, process P can only be 0, open m. P', \r\m.P', outm.P', (x) P' , or {m}, for some m. 
The sub-formula n[/i[0]] D> O (h[0\ | T) says that P \ n[h[0\] can reduce to a process with 
an empty ambient h at the outermost level. Prom these requirements, we conclude that 
P = open n. P', for some P'. 

Similarly we prove that P \= ((out n}} iff P = outn.P', for some P' . By the sub- 
formula lcomp A -i lamb, process P is single and is not an ambient. By the sub-formula 
(O {h[T] \ n[0}))@n@h, 

n[h[P]] |= O (h[T] | n[0]) 

hence P = outn. P', for some P', otherwise h[P] could not exit n. 

To obtain the full capability formulas we add some quantification on names. Formula 
((open n)). A is thus defined as follows: 

Vy.n[y[0]] > O (y[0] | A) 
A lcomp 
A -i lamb 

3x. yy.x[y[0}} >O(y[0] | T) 
A lcomp 
A -i lamb 

Remark 3.1 (Formulas containing free variables). It will often be the case in the remainder 
of the paper that we define a formula involving a name, say n, and need the corresponding 
logical construction where a variable x is used instead of n. For instance, the formula 
lopen above could be defined clS clS 3 X . ((open x)).T", which is not correct because 
((open n)). A has been defined but ((open x)). A has not. In the sequel, when clear from the 
context, we shall allow ourselves to adopt nevertheless this abuse of notation, that should 
be understood as 'rewrite the definition of the corresponding formula using x instead of 
n' (see in particular the formulas to capture name reception, and their interpretation, in 
Lemma In. 151 and characteristic formulas for input guarded processes in Section Ell- 
Satisfaction being defined only between closed processes and closed formulas, the im- 
portant point in doing so is to avoid reasoning about the satisfaction of formulas containing 
free variables: we shall therefore only write formulas containing an l x' under the scope of a 
variable quantification. 



((open n)).A 



lopen 



clef 



def 
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Lemma 3.5. P \= ((open n)).A iff P = open n. P' , for some P' such that P' => P" and 
P" h A. 

P \= lopen iff P = open n. P' for some n and P' . 

Proof. We only consider the first property, from which the second follows easily. The im- 
plication from right to left is easy. 

For the reverse implication, we set 

G = n[h[0\] > O (h[0] | A) 

where h n(P). Since P \= lcomp, we have P = Q, for some Q that is not a parallel 
composition. Since also P \= -> lamb, we infer that Q is not an ambient. Finally since P \= G, 
process Q cannot be of the form 0, in n. Q' , out n. Q', (x) Q',{p}- For the same reason, Q 
cannot be a prefix open m. Q' with m ^ n. The only possibility left is Q = openn. Q', for 
some Q'. 

Moreover, we have 

n[h[0]] | open n. Q' => R and R \= h[0] \ A 
for some R. The first step of this reduction must be 

n[h[0]] | openn.Q' — ► h[0] \ Q' 
(up to =). Since h is fresh, h[0] cannot interact with Q'. Hence 

R = h[0] | Q" 

for some Q" such that Q' => Q" . □ 

Along the lines of our construction for the open prefix, we can define characteristic 
formulas for the in and out prefixes. 



((out n)).A d = Vs. ((O (x[A\ | n[0]))@n<! 



-IT 



A lcomp 
A -i lamb 
lout ^ f 3 x . ((out x) 



(in n)) J d = Vi.((n[0]>On[i[>l]])9i) 
A lcomp 



A -i lamb 
lin = f 3 x . ((in x)) 



Lemma 3.6. P \= ((out n)).A iff P = outn.P', for some P' such that P' (in n '° ut n) UP" 
and P" \= A. 

Proof. Similar to the proof for the open prefix. The formula lcomp A -> lamb forces P to 
be single and not an ambient. Therefore P = Q, for some Q whose outermost operator is 
not a parallel composition or an ambient. Then we should have 

n[h[Q}\ (= O (h[A\ | n[0]) 
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This can only happen if Q is of the form outn. Q', for some Q' such that Q' n < out n ) ^ qii 
and Q" \=A. □ 

Lemma 3.7. P \= ((in n)).A iff P = in n. P' , for some P' such that P' ^° ut > P" and 

P" h A. 

Proof. Similar to the previous proofs. The formula lcomp A -i lamb forces P to be single 
and not an ambient. Therefore P = Q, for some Q whose outermost operator is not a 
parallel composition or an ambient. Then we should have 

h[Q] | n[0] H O n[h[A]] 

where h is fresh. As by previous arguments, this can only happen if Q is of the form in n. Q', 
and Q' reduces (with suttering) to Q" satisfying A. □ 

Given a capability cap, we may define the 'necessity' version of the 'possibility' formulas 
we have just introduced as follows: 



[cap]. .4 Q ^ ((cap)). T A -.((cap)).^4 

Lemma 3.8. For any capability cap, formula A and term P, P \= [cap]. .4 iff there is P' 
such that P = cap. P' , and, for any P" such that P' ^$ P" , P" \= A. 

Note that necessity formulas are not the dual of the possibility formulas, as in standard 
modal logics, because of the spatial aspects of AL. For instance, [in nJ.T does not have the 
same interpretation as -i ((in n)). —iT, the latter being actually equivalent to T. 

Remark 3.2. We could think of deriving formulas for modalities as in standard modal 
logics for concurrency |HM85| . instead of capturing the syntactical prefixes corresponding 
to a capability cap. More precisely, we could look for a formula ((cap)) .4 capturing processes 
P for which there is P' such that P =^ P' and P' (= A. It turns out that spatial logics are 
more intensional, and make actions more difficult to express than connectives. In particular, 
we do not know how to express directly a modality corresponding to action °^^. n 



3.3. Formulas for communication. The first step to characterise I/O processes (i.e., 
messages or abstractions) is to get rid of other possible constructs for single terms, as 
follows: 



lcomm = lcomp A -i lamb A -i lopen A -> lout A -i lin 



Lemma 3.9. P (= lcomm iff (P = {p} or P = (x) P'), for some p and P'. 

The following formula, that holds of a process that is the parallel composition of two 
I/O processes, will also be useful: 

_ def I 

2comm = lcomm lcomm. 
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The difficult part, however, is the definition of the I/O formulas for separating mes- 
sages from abstractions, and also, within the messages and the abstractions, messages with 
different contents and abstractions with different behaviours. 

The capability formulas are easier to define than the I/O formulas because capabilities 
act on ambients, and the logic has a connective, n[A], for talking about ambients. By 
contrast, the I/O primitives act on themselves. To define the I/O formulas, we proceed as 
follows: 

(1) We define a formula, TestComm, that characterises the special abstraction (x) x[0]. 

(2) We use TestComm to define the formula for messages: 

3~s n \ = f lcomm A (TestComm D> O n[0]) 

It holds that P (= T {n] iff P = {n}. 

(3) We then use J~{ n } to define the formulas for abstractions: 

((In)). A = f lcomm A (-. 3 x . F {x} ) A (F {n} > O A) 
It holds that P \= ((In)). A iff P = (x) Q and {n} | P => P' with P> \= A. 
Lemma 3.10. Given (x) R, suppose there is q such that 

{q} | (x) R \= □(2comm V lambO) 
and R contains no abstractions. Then R = rj[0], for some n. 

We call ambient abstraction any closed abstraction described by the following grammar: 

P ::= (x) n[0] \ (x) ({r?} | P) 
The following lemma shows how to characterise ambient abstractions using formulas. 
Lemma 3.11. Given an abstraction (x) R, suppose there is q such that 

{q} \(x)R\= □(2comm V lambO) (3.1) 

and 

{q} | (x) R (= O lambO. (3.2) 
Then (x) R is an ambient abstraction. 

Proof. By induction on the number of nested abstractions in R. If this number is then by 
Lemma I3.1UI we derive R = rj[0]. 

Suppose the number is greater than 0. Prom (|3.1|) and 

{q} | (x) R — > R{l/x} 

we derive 

R{q/x} \= 2comm V lambO 
Since R should contain an abstraction, the formula lambO is not satisfied, hence 

R{q/x} \= 2comm 

Using this, the fact that R{l/x} should contain an abstraction, and (|3.2j) we infer that 

R{ q/ x} = {p} | (y) Q 

for some p,y,Q. By induction hypothesis, we deduce that (y)Q is an ambient abstraction. 
From this, R{Q/x} is an ambient abstraction too, and this induces that R itself is an ambient 
abstraction. □ 
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We say that an ambient abstraction P is simple if P =p (x) x[0], where =p is the least 
congruence that is closed under the rule 

{M} \{x)P = P{ M /x} . 

We recall that the operator used in the following lemma, has been introduced at the 
end of Section [21 

Lemma 3.12. Suppose (x) Q is an ambient abstraction, and 

(x) Q \= lcomm ► O n[0] 
(x) Q (= lcomm ► O m[0] 

with m 7^ n. Then (x) Q is simple. 

Proof. Prom the hypothesis, there are p and q such that 

M \(x)Q\=0 n[0] and 
{q} \(x)Q\=0 m[0) . 

If (x) Q were not simple, then the name of the ambient to which it reduces to would not 
depend on the argument x. (Note that any ambient abstraction is =g to an abstraction of 
the form (x) r?[0], for some x,rj. The hypothesis of the lemma implies that rj = x.) □ 

As hinted above, the key step is the definition of the formula below, which is the 
characteristic formula of simple ambient abstractions. 



def 

TestComm = 


lcomm 






A lcomm t> □(2commV lambO) 


(3.3) 




A lcomm ► O n[0] 


(3.4) 




A lcomm ► O m[0] 


(3.5) 


where n, m are different names. 







Lemma 3.13. P (= TestComm iff P is a simple ambient abstraction and is closed. 

Proof. The implication from right to left is easy. We consider the opposite. 

Process P must be an I/O, since P \= lcomm. Also, P cannot be a message, otherwise 
it would not satisfy the formula 

lcomm > □(2comm V lambO) 

since a message in parallel with (x) can reduce to 0, which does not satisfy 2comm V lambO. 

We conclude that P should be an abstraction, say (x) Q. Now, from (|3.3|) and (|3.4|) . 
we get that there are messages p, q such that 

M | (a?) Q |= □(2comm V lambO) 
{q} \(x)Q\=0 n[0] 

From Lemma 13.111 we infer that (x) Q is an ambient abstraction. Moreover, by (|3.4jl . (|3.5|l 

and Lemma T3. 121 (x) Q must be simple. □ 
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Now we are finally in the position of defining the characteristic formula for a message 



ft 



dcf 



r n i = TestComm > O n[0] 
A lcomm 



and, then, the characteristic formula for a message is 



lmess = 3 x . fti 



Lemma 3.14. P \= fti n \ iff P = {n}, and P \= lmess iff P = {n} for some n. 

Proof. The right to left direction is easy. For the converse, we observe that P must be 
an I/O, and that P cannot be an abstraction (otherwise, when adding a process satisfying 
TestComm, we could not obtain an ambient). Hence P = {m}, for some m. 
Given a simple ambient abstraction Q, we have that 

Q | {m} \= O n[0] iff m = n . 

This allows us to deduce that P = {n}. □ 

We can now define the two modalities for the input connective: 



((?n)).A d = lcomm A (-. 3 x . T {x} ) A (F^y r> O A) 

fin]. A = ((?n».T A ^{{?n)).^A 

, . def 

1 input = 



3x. ((?x)).T 



Lemma 3.15. 

• P \= ((In)). A iff there are P',P" such that P = (x)P', (x)P' \ {n}^P" , and 
P" |= A. 

• P (= \ln\.A iff there is P' with P = (x)P', and for all P" such that (x)P' \ 
{n}^P", P" (= A. 



4. Other intensional properties 

As we have just seen, AL can capture several syntactical constructions of the calcu- 
lus. We now further explore the expressiveness of AL, going beyond the results we have 
established about capabilities and communications. 

We first define a formula (f>fi n that characterises finite terms, using a form of contextual 
reasoning. The same method is applied to derive a formula ©n that characterises the terms 
containing n as a free name. We then introduce formulas that characterise in a restricted 
sense persistent single terms of the calculus. These formulas will be used in Sectional to 
establish characteristic formulas for a sub-calculus of MA. 
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4.1. Capturing finiteness. We now present a formula that is satisfied by all and only 
the finite processes. Detecting replication seems a priori unfeasible in the present version 
of AL, as it does not provide a recursion operator. We capture the 'finite' character of a 
term using the fact that a replicated process is persistent, i.e., it is always present along the 
reductions of a term. 

The characterisation of finiteness relies on the existence of a scenario which guarantees 
reachability of 0, as expressed by the two following lemmas: 

Lemma 4.1. Let P,Q be two terms such that P=>Q. Then P is finite iff Q is finite. 

Proof. By induction over the length of the ==> derivation, then induction over the structure 
of the proof of the — > transition. □ 

Lemma 4.2. P is finite iff there are Q, R, n such that n[P \ Q] \ R =^ 0. 

Proof. 

• Let us first assume that P is finite. We prove by induction on the size of P that there 
exist Q and R such that for any P', 

n[P | P' | Q] | R => n[P'} 

The left to right implication can then be obtained using this property with P' = and 
adding open n in parallel with R. 

1 For P = 0, take Q = R = 0. 

2 For P = m[Pi], we have by induction Qi, Pi such that n[P\ \ P' \ Q\] \ R\ =>n[P'] 
for any P'. Now we set Q = open m \ Qi and R = R\. Then it is clear that 
n[m[Pi] | P' | Q] | R => n[P'] for any P' . 

3 For P = P± | ... | P r (with no replicated component), we use the induction 
hypothesis to obtain Qi and R{, and then set Q = Q\ \ . . . | Q r , R = R\ \ . . . \ R r 
such that for any P', 

n[P | P' | Q] | R n[P 2 \ . . . | P r \ P' \ Q 2 \ ■ ■ ■ \ Q r ] \ R 2 ]■■■] R r 

n [p>] 

reasoning inductively on r. 

4 For P = cap. Pi, we use the induction hypothesis to get Qi and Pi, and we define 
Q and P according to the shape of cap as follows: 

- cap = in m. Then we set Q = Qi and P = m[0] | open m \ R\. Then for any 
P': 

n[P | P' | Q) | P — > m[n[Pi | P' \ Q}] | open m | P x 

— > n[Pi [ P' I Qi] I Pi 
n[P'] 

- cap = out m. We set Q = in m | Qi and P = m[0] | open m \ Pi, so that we 
can conclude. 

- cap = open m. We set Q = m[0] \ Q\ and P = Pi. 

• For P = {m}, we set Q = (x)0, and P = 0. 

• For P = (x)Pi: by induction hypothesis applied to Pi{n/x}, we get Q\ and Pi; 
then we set Q = {n} \ Qi and P = Pi. 

The first implication is thus established. 
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• Let us now assume P is not finite. Then for any n, Q, R, n[P \ Q] \ R is also infinite, and 
by the previous lemma, it is also the case for any of its reducts, and hence it cannot reduce 
to 0. □ 

We can now define: 



fin = 3x. ( T ► (T ► O0)@x ) 



Theorem 4.3. For any P, P \= <p^ n iff P is finite. 

Proof. Prom Definition 12.31 P \= 0g n holds if there are n, Q, R such that n[P \ Q] \ R=^0. 
We then conclude with Lemma 14.21 □ 



4.2. Formula for name occurrence. Our aim is now to define a formula corresponding 
to the connective ©n, defined by: 

P (= ©n iff n £ fn(P) . 

For this, we exploit Lemma 14.41 together with the ability, using the formulas for capa- 
bilities, to detect unguarded occurrences of names. 

We say that a process P is flat if it has no inputs and the only process underneath all 
capabilities, and inside all ambients of P is 0. We say that a process P has an occurrence 
of name n at top level if P = cap. P' \ P" with cap = in n, out n or open n, P = n[P'] | P" 
or P = {n} | P'. 

For the proof of the next lemma, we would also need a more general notion. The 
occurrence depth of a name n in an open term is given by a function depth n : V — >NU {oo}, 
stable by =e, inductively defined as follows: 

- depth,„(0) = oo. 

- depth n (n[Pi]) = 0, and for n / r], depth n (r][Pi]) = depth ra Pi + 1. 

- depth„((!)Pi | ... | (OP) = mini<j< r depth n (p) (here (l)Q stands for Q or \Q). 
J for cap € {in n, out n, open n}, 
ldepth n (P) + 1 otherwise. 

- depth„((:c)P) = depth^J,^ P) + 1, where \p P stands for the smallest term such 
that P =/3 l p P 

- depth„({ra}) = and depth n ({ry}) = oo for r/ ^ n. 

Lemma 4.4. For all P, n, we have n G fn(P) iff for any name m, there exist some flat 
processes Q, R, in which n does not occur free, and a process S with an occurrence of n at 
top level such that m[P \ Q] \ R => m[S]. 

Proof. Note that the property of S having an occurrence of n at top level is equivalent to 
depth n (5) = 0. We are now ready to prove the lemma: 

• We first consider the implication from left to right. Let us assume that depth n (P) 
is finite. We consider a name m, and prove by induction on depth n (P) that there 
exist Q,R, S satisfying the conditions of the lemma. 
- if depth n (P) = 0, we take Q = R = and S = P. 



depth n (cap. P) 
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— if depth„(P) = i + 1, we first consider the case where P = in m\. P\ \ P2 with 
depth n (Pi) = i. By induction hypothesis, there are Qi,Ri, Si and m satisfying 
the conditions of the lemma for Pi j P2. We then can set for P: Q = Qi, 
R = mi[0] I open m\ \ R\ and S = S% \ P2, then Q,R,S can be chosen for 
P. 

The other cases are treated similarly: we define processes that allow us to 
trigger a capability in order to decrease the occurrence depth of n in the term. 
The definition of these processes follows the ideas in the proof of Lemma 14.21 
The first implication is proved. 
• For the implication from right to left, we assume that n fn(P). We consider m 7^ n, 
and some Q,R as in the statement of the lemma. Then n fn(m[P | Q] \ R), so 
that for any T such that m[P | Q] \ R ==> T, n fn(T). □ 

We can now define the formula ©n to capture the set of free names of a process, 
together with the two auxiliary formulas flat and © 1 n needed in the definition of ©n. 
These formulas are given in Tabic 01 



flat = (3x. [inxj.0 V [outx].0 V [openxj.0 Vx[0] V F {x} Y 
© 1 n = (((in n)).T V ((outn».T V ((open n)).T V n[T] V P {n} ) | T 
©n d = Vx. (flat A ^© 1 n) ► ( (flat A ^© x n) ► O xf© 1 ^ )@x 



Table 4: Formulas for free names 

Formula ©n detects whether name n occurs in a process, while © x n detects whether 
n occurs at top level (i.e. P satisfies this formula iff depth„(P) = 0). 

Theorem 4.5 (Name occurrence). P |= ©n iff n € fn(P). 

Proof. Consequence of the previous lemma. □ 



4.3. Formulas for persistence. We now move to the definition of formulas that char- 
acterise persistence, which is given by the replication operator in MA. In other words, we 
investigate the possibility of defining formulas I A that detect replicated term IP such that P 
satisfies A. However, we cannot hope to define arbitrary formulas with precisely this prop- 
erty. First, the form IP is too restrictive: as P=lQ implies \P=l,\P \ Q (see |HLSf)5j ). a 
formula IA would not distinguish between a uniquely replicated process IP, and a replicated 
process "with admissible garbage" !P | Q or IP \ \Q. Second, if we want to express that the 
process holds something replicated, one has to reject formulas satisfied by the process 0. 

We hence restrict our attention to the case of formulas A whose models are single 
processes only. For these formulas, IA characterizes replicated processes, in the sense that 

P UM ~ q P p , / l)P^!Pi|(!)P 2 |...i(!) J Pn 
P|=U & 3P 1 ,...,P n s.t. j 2)ViGl _ nj p . hA 

where (!) denotes an optional replication. In the sequel, we show how to define the formula 
\A when A characterizes a guarded process and has some extra conditions. For the purpose 
of defining characteristic formulas, this will be sufficient. However, it remains an open 
question how to define \A on a larger language. 
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Rep in n (A) 


def 


A w A Vm. (-i©m) -> 
([out n].0) w r> ( n[0] [> DO ( n[m[.4 | 


T]] ))@m 


Re Pout n iA) 


dcf 


A Vm. (-i©m) -> 
([in n].0) w r> ( n[0] > □ 0( m[A | T] 


n[0] ))@m 


Re Popen n(A) 


dcf 


A u A (n[0]) w > □ ( A | T ) 






dcf 


{n[A\Y A ([open nj.0) w > □ ( n[A] \ 


T) 




dcf 


T {n f A TestComm^ D> □ ( T {n} | T ) 






dcf 


A° A lmess^ > □ ( A | T ) 





Table 5: Formulas for persistent single terms 



The definition of \A has two parts. The first part says that if P \= IA then all parallel 
components in P that are single and at top level satisfy A. This is expressed by the formula 
A u . The second part of the definition of \A addresses persistence, by saying that there are 
infinitely many processes at top level that satisfy A in the sense that we may not consume 
all copies by some finite sequence of reduction. Definitions are given in Table |SJ there is 
one formula for each possible topmost constructor (recall that we are considering a single 
process). 

Formula ^F\i n \ is actually a characteristic formula, since it is satisfied only by the process 
!{n}. For this reason, we anticipate the notation Tp of the characteristic formula of P (see 
Section |SJ). For the other formulas, we express the replication of a process satisfying A; the 
interpretation of these formulas hence relies on the actual meaning of A. 

To illustrate the point, consider formula Rep open n (((open n)).T). This formula only 
specifies that any number of capabilities open n should be present at top-level, and thus 
holds for process !open n. 0, but also for open n. !open n. 0. On the other hand, ((open n)). T 
can be replaced by the more discriminating formula [open nj. 0: then we obtain a formula 
that only accepts process !open n. 0. 

In light of these observations, we define the following measures on terms: 

Definition 4.1 (Sequentiality degree, sd). The sequentiality degree of an open term is 
defined as follows: 

• sd(0) = 0, sd(P [ Q) = max (sd(P), sd(Q)) ; 

• sd(r][P]) = sd(!P) = sd(P); 

• sd(cap.P) = sd(P) + 1. 

• sd({ V }) = 1 and sd((x)P) = sd(|^ P) + 1 

Definition 4.2 (Depth degree). The depth degree of a process is given by a function dd 
from MA processes to natural numbers, inductively defined by: 

• dd(0) = 0, dd(cap.P) = dd((x)P) = dd({r/}) = 0; 

• dd(r/[P]) = dd(P) + 1; 

• dd((!)Pi [ ... | (!)P r ) = max 1 < J < r dd(P). 

Lemma 4.6. For any processes P and Q, P = Q implies sd(P) = sd(Q) and dd(P) = 
dd(Q). 
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Definition 4.3 (Selective and expressive formulas). A formula is sequentially (resp. depth) 
selective if all processes satisfying it have the same sequentiality (resp. depth) degree. 

For any capability cap (resp. name n) and formula A, A is cap-expressive (resp. in- 
expressive, input-expressive) if all terms satisfying it are of the form cap. P (resp. n[P],(x)P). 

Example 1. ((in n)).n[0] is in n-expressive but not sequentially selective: it admits both 
in n.n[0] and in n. (n[0] | open n.n[0]) as models. On the other hand, [in n].n[0] is both 
sequentially selective and in n-expressive. As we will see below ( Subsection 15.2(1 . the com- 
bination of ((cap)) and [cap] modalities allows us to define sequentially selective formulas. 

These two forms of selectivity are useful for the characterisation of persistence. Indeed, 
the sequentiality (resp. depth) degree of a single prefixed (resp. ambient) term is strictly 
decreasing when consuming the prefix (resp. opening the ambient). This property is needed 
in order to detect the presence of replication at top-level in a process, and interpret the 
formulas introduced above. 

Lemma 4.4. Let P, Q be two terms of MA. If P — > Q or P A Q for some /i, then 
sd(P) > sd(Q). 

Proof. The property for A follows from the definition of sd(-P). For P — >Q, one reasons 
by induction and case analysis (using Lemma l2.3j) . □ 

Corollary 4.5. For all cap, if P ^ Q, then sd(P) > sd(Q). 
In the sequel, Hi<i<tQi abbreviates Qi \ ■ ■ ■ \ Qt- 

Lemma 4.7 (Characterisation of replication of single processes). 

(1) Given a capability cap, and a sequentially selective and cap-expressive formula A, 
define 

\A = Re Pcap (^l). 

Then P \= \A iff there are r > 1, s > r, Pi (1 < i < s) such that 
P = IIi<j< r !cap. P{ | n r _|_i<j< s cap. Pj and cap. Pi \= A foralll<i<s. 

(2) For any name n and depth selective and n-expressive formula A, define 

\A ^ Re Pn[] (A). 
Then P \= \A iff there are r > 1, s > r, Pi (1 < i < s) such that 
P = ni<j< r !n[Pj] | n r+ i<j< s n[Pj] and n[Pi] \= A for all 1 < i < s. 

(3) For any formula A that is sequentially selective and input expressive, define 

M = Re P inp uM). 
Then P \= \A iff there are r > 1, s > r, Pi (1 < i < s) such that 
P = IIi<j< r !(2;)Pj | n r+ i<j< s (x)Pj and (x)Pi \= A for all 1 < i < s. 
Proof. Let us examine some cases: 

Case 1, cap = in n. Assume there exist some terms Pi,...,P s satisfying the condition 
expressed in 1. Then the first part of \A is satisfied, i.e. P (= A^ . 

To establish the second part, we have to show that for any Q = out n u (where u € 
N* U {oo}), any fresh name m, and any term R such that m[P \ Q] \ n[0] R, there 
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is a further reduction R=>n[m[Ri \ R2]] for some R\,R2 such that Ri \= A, which 
entails in particular Ri = in n.R^. Since ambient n does not contain any active process, 
and since there is no active process at top-level in m[P | Q] \ n[0], ambient n remains 
at top-level in all evolutions of this term. Moreover, we have that m is fresh for P and 
Q; therefore, no ambient may get out of m, so for any reduct R, there exists R' such 

that either (i) R = m[R'\ | n[0], and P \ Q (i " n) *> R', or (ii) R = n[m[R% 

and P I Q in ra > = £g: ut "' in ") ^ j^i j n g rg |- cas6) because of the shape of P, we may 
perform one more step of reduction to reach a situation like (ii), and then, since P 
q in n ) = ( out ">'" g)—^ ^ there exists R" such that P' = Wnn.Pi \ R". The first implication 
is thus proved. 

Conversely, let us assume that P \= Rep in n (A). Then according to the first part 
of the formula, there exist some Pj's satisfying P = (!)in n.P\ \ ... | (!)in n. P r and 
in n. Pi \= A. Suppose now by absurd that no component is replicated. We exploit the 
sequential selectivity hypothesis to obtain a contradiction. Indeed, we have the reduction 
m[P I (out n) r ] I n[0] ==^ R = n[m[Pi \ . . . \ P r ]] and R is a term whose sequentiality 
degree is strictly smaller than sd(-P). Then it is also the case for any of its reducts, and 
therefore the same reasoning holds for any R\,R2 such that R n[m[in n.R\ \ -R2]]) 
in n.R\ has a sequentiality degree too small to satisfy A because of sequential selectivity. 
Thus, P cannot satisfy Rep jn n (A), and we obtain a contradiction. Hence, at least one of 
the Pj's is replicated, and the reverse implication is proved. 

The proofs for Case 1, other capabilities, and Case 3 follow from similar arguments. 

Case 2. Assume that P = !n[Pi] | . . . | (l)n[P r ], with the Pi's such that P |= A. Then 
P satisfies Rep n ^(^4) iff for any Q = open n 1 ^, and any R such that P | Q=^P, there are 
Pij's such that R = n[Ri] \ R2 with n[Ri] \= A. Since for any R, R = !n[Pi] | R', the first 
implication is established. 

Conversely, suppose P satisfies Rep n j](^l). Then P = (!)n[Pi] | . . . | (!)n[P r ]. Moreover, 
if no Pj is replicated, P | !open n ==? P\ \ . . . \ P r \ !open n, and if in some Pi there are 
Pjj (j = 1,2) such that Pj = nfP^i] | P^, then the depth degree of P^i is too small for 
nfP^i] to satisfy A, which gives us the second implication. □ 

The formulas for persistence, together with the constructions of Section will be used 
to derive characteristic formulas with respect to =l for a sub-calculus of MA in Sectional 

5. Characteristic formulas 

In this section we establish the existence of characteristic formulas for a large class of 
processes. Given a process P, a characteristic formula for P is a formula Tp such that: 

VQ. Q (= T P iff Q= L P, 

where =l is logical equivalence (i.e., P=lQ iff P and Q satisfy the same formulas). 

The definability of characteristic formulas is an interesting property, though for now 
only a purely theoretical result. The effectiveness and efficiency of the construction of 
characteristic formula are beyond the scope of this paper, though we strongly believe that 
our definition gives an algorithm for constructing formulas on the semi-decidable fragment 
MAjp. Having such constructive characteristic formulas, would have some practical impact, 
since we could relate the logical equivalence and model-checking problem to the validity 
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problem. Interestingly, we may also recall that validity reduces to model-checking the other 
way round when the spatial logic considered has the guarantee (>) connective. 

To be able to carry out our programme, we have first to understand what =l represents. 
For this, we use a co-inductive characterisation of =l, as a form of labelled bisimilarity. 
Then, making an intensive use of the formulas for the connectives of the calculus previously 
defined, we derive the characteristic formulas. 

5.1. Intensional bisimilarity. 

Note for this subsection only. The results presented in this subsection have appeared pre- 
viously in [SanOH 1HLS02) and therefore are not a contribution of the present paper. Their 
complete proofs, which are rather long and complex, can be found in a companion pa- 
per |HLS05| . We will use the notion of intensional bisimilarity and all the properties that 
are recalled in this subsection only in the proof about characteristic formulas for AL (The- 
orem ESI); which is one of our main expressiveness results. 

We use the labelled transitions ( Definition 12 .2|) to define a notion of intensional bisim- 
ilarity in order to capture =£. 

Definition 5.1. Intensional bisimilarity is the largest symmetric relation ~i nt on closed 
processes such that P ~j nt Q implies: 

(1) If P = Pi | Pi then there are Q\,Q2 such that Q = Q\ \ Q2 and Pi ~ int Qi, for 
i = l,2. 

(2) If P = then Q = 0. 

(3) If P — ► P' then there is Q' such that Q => Q' and P' ~ int Q' . 

(4) If P '™ P> then there is Q' such that Q ^ (out n ' in nY > Q' and P' ~ int Q'. 

(5) if P °^ P> then there is Q' such that Q (in n '° ut n) * ) >Q' and P' ~ int Q>. 

(6) If P P' then there is Q' such that Q Q' and P' ~ int Q'. 

(7) If P H P' then there is Q' such that Q Q Q' and P' ~ int Q' . 

(8) If P P' then there is Q' such that Q \ {n} =^ Q' and P' ~ int Q'. 

(9) If P = n[P'] then there is Q' such that Q = n[Q'} and P' ~ int Q' . 

The definition of ~; n t has (at least) two intensional clauses, namely (^Q) and @, which 
allow us to observe parallel compositions and the terminated process. These clauses corre- 
spond to the intensional connectives '|' and '0' of the logic. The clause (jSJ) for abstraction is 
similar to the input clause of bisimilarity in asynchronous message-passing calculi ACS98 . 
This is the case because communication in MA is asynchronous. Another consequence 
of this is that the logic is insensitive to the following rewrite rule (modulo associativity- 
commutativity of |): 

(x)({x} I (x)P) — > v (x)P. 

This rule induces a notion of normal form of processes, that we shall call the eta-normalised 
form. 

Definition 5.2 (Eta-equivalence). We will note P =e Q if the normal forms of P and Q 
for — > v are related by =. 

Lemma 5.1 ( HLS02, HLS05 ). For any closed process P,Q in MA, P =e Q implies 

P — int Q- 
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By Theorem 15.21 below, this result says that the logic is insensitive to — > v - We shall 
thus reason using normalised processes with respect to — ►„ in the proof of Theorem 15.51 

The most peculiar aspect of the definition of ~ int is the use of the stuttering relations. 
Although they can be avoided on finite processes, they cannot in the full calculus. By con- 
trast, stuttering does not show up in Safe Ambients jLSiQOj , where movements are achieved 
by means of synchronisations involving a capability and a co- capability. 

We now state some results about ~i nt that are proved in |HLS021 IHL S05 . 

Theorem 5.2. For any P, Q, P ~; nt Q implies P=lQ- 

The latter result establishes correctness of ~j nt with respect to =l- Given a process P, 
we try and characterise the equivalence class of P with respect to ~i n t with a formula J- p. 
The definability of such a formula will actually entail that =l Q — int (completeness), and 
hence that Tp actually characterises the =£-equivalence class of P. 

We now mention a useful induction principle that allows us to reason 'almost inductively ' 
on the structure of a process when checking relation ~ ; nt . This principle is given by the 
following inductive order: 

Definition 5.3. We write P > Q if either sd(P) > sd(Q) or Q is a sub-term of P. 

This order allows us, using the following result, to derive an inductive characterisation 
of ~ int jHLSn2llHLS7i5] . 

Proposition 5.3. Let P,P\,P2,Q be processes of MA. Then 

(1) ~ int QiffQ = 0. 

(2) n[P] ~ int Q iff there exists Q' such that Q = n[Q'] and P ~; n t Q' . 

(3) P\ | P2 =±int Q iff there exist Qi,Q2 such that Q = Qi \ Q2 and Pi ~i nt Qi for 
i = l,2. 

(4) \P ~i n t Q iff there exist r > 1, s > r,Qi (1 < i < s) such that P ~i nt Qi for 
i = l...s, and Q = ni<j< r !Qj [ U r+ i<i< s Qi. 

(5) cap.P ~ int Q iff there exists Q' such that Q = cap.Q' with P ~i nt Q' and 

Q> ^ ^ P. 

(6) {n} ^ QiffQ = {n}. 

(7) (x)P ~ int Q iff there exists P' , Q', Q" and n fn(P) U fn(Q) such that Q = (x)Q' , 
Q I M^Q", 1/3 P{ n /x} ~int Q", (x)P I {n}^P' and P< ~ int Q'{n/x}. 

5.2. The sub-calculus MArp. As we mentioned above, characteristic formulas and com- 
pleteness for an algebraic characterisation of logical equivalence are two related problems. 
In fact, the existence of characteristic formulas is a stronger result than completeness of 
~i nt with respect to =l- while we establish completeness in |HLS05| on the whole calculus, 
we are only able to derive characteristic formulas on a sub-calculus of MA. To introduce the 
necessity of restricting the class of processes we consider, and to illustrate the basic ideas 
behind the construction of characteristic formulas, we examine some examples. 

Example 2. We introduce the following processes: P\ = !open n.n[0], P2 = open n \ n[0], 
P3 = !open n. P2, and P4 = open n. P2. 

A characteristic formula for Pi is easy to define since the continuation term n[0] has 
no reducts. Hence the formula [open n].n[0], using a formula for necessity, satisfies the 
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conditions of Lemma 14.71 and a characteristic formula for P\ is 

T\ A = ![open n].n[0]. 

In order to define a characteristic formula for P3, we first look for a characteristic formula 
for P 2 . We can set 

T 2 = f [open nj.O \ n[0] . 
J~2 is indeed a characteristic formula for P 2 . However, [open n]. J- 2 is not a characteristic 
formula for P4, nor for P3. The reason is that the continuation process (P 2 ) is not static, 
as it may reduce to 0. Hence [open n\.T 2 does not satisfy the conditions of Lemma H~7l so 
that we need to add the possibility to reduce to 0, yielding the formula [open re]. [T 2 V 0). 
But then we also accept the term open n. 0, which shows why we are led to add a possibility 
condition to the formula, and we finally define the following characteristic formula for P3: 

^3 = Re Popen „«(open n)).F 2 A [open re]. {T 2 V 0)). 

We see on this example that characterising the continuation of a process starting with 
a capability or an input requires to enumerate also all the possible reducts after consuming 
the topmost constructor. Therefore, the definition of characteristic formulas relies on the 
actual feasibility of such an enumeration, which leads us to the definition of a subclass of 
MA processes. 

In the definition below, we use the following notation: given a set S of processes, 
5/~ tat will stand for the quotient of S with respect to ~; n t (which is, technically, a set of 
~int-equivalence classes of processes). 

Definition 5.4 (Sub-calculus MAjp). A process P is image-finite iff any sub-term of P 

of the form cap. P' (resp. (x)P r ) is such that the set {P" : P' P"}/~ int (resp. 

{P" : P'{n/x} P"}/~ int , for some n fn(P)) is finite. 
MAjf is the set of image-finite MA processes. 

MAip is only a semi-decidable fragment of MA. A stronger restriction is considered in 
HLS05, whose definition involves decidable syntactic conditions. We however stick to this 
larger fragment for the sake of generality. 

For example, process in n. !(n[0] [ open n. 0) is in MAtf, but in n. !(n[0] | open n. a[0]) 
is not. 

To construct a characteristic formula Tp for a closed MAjp process P, we can suppose 
(up to =e) that replication only appears above single terms and that P is eta normalised. We 
then define the characteristic formula J-p of P by induction using the order of Definition 15. 31 
(this defines a valid induction by Lemma l4.4ft . The defining formulas are given in Table El 
Two technical remarks should be made regarding the definition of T^p. First, in the 
disjunction over the quotiented set {P' : P{ n x/x}^^>P'} /~ int , it is intended that we pick 
a representative in each equivalence class. Second, to avoid reasoning about processes 
containing free variables (characteristic formulas are defined only for closed processes), we 
introduce the auxiliary name n x , that is used as a placeholder for x, to be replaced by x again 
once the characteristic formula of process P' has been computed (see the defining clause of 
F(x)p)- So Fpi{ x /nx\ is a slight abuse of notation that denotes the operation consisting of 
(i) alpha-converting Tpi so that no bound variable is named x, and (ii) textually replacing 
n x with x in the resulting formula. 
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def 







Fp\Q 


def 


•^P -^Q 




Fn\P] 


def 






-Pcap.P 


def 


((cap)). JF P A [ca 


*iv { p,, P mp> } ,„_J p ' 


F\n{P] 


dcf 


Re Vn[](^P) 




•Plcap.P 


def 


Re Pcap(^"cap.p) 




F{x)P 


clef 
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.T P A 






£ fn(P)) 








(1 input A -i(g 
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V V{P' : P{ n;c / a: }= 


^P'}/~ lnt ^P'^Mj 


F{n} 


clef 


cf. Lemma 13.141 




dcf 


cf. Table U 


F\{x)P = Re Pinput( :F {x)p) 



Table 6: Characteristic formulas in MAjf 



Theorem 5.5 (Characteristic formulas for MAjp). For any closed term P, define J-p ac- 
cording to Table El Then 

Q h T P iff P ~ int Q. 

Proof. The proof is by induction, using the order of Definition 15.31 

• J-q characterises 0: this holds by Proposition 15.31 

• J~{ n \ characterises {n} and J-\i n \ characterises !{n}: by Lemma 13.141 Lemma |4.7I 
and Proposition 15.31 

• if Tp characterises P, then P n [pj characterises n[P\: by Proposition 15.31 

• if J 7 p 1 characterises Pi and Tp 2 characterises P2, then J T p 1 \p 2 characterises Pi \ P2' 
by Proposition 15.31 

• Suppose now that for every P' such that sd(P') < sd(P), J- pi is a characteristic 
formula for P'. We then have: 

— -Pcap.p characterises cap. P. 

By Lemma IOI sd(P') < sd(P) for any P' such that P ^$ P', so P> is a 
characteristic formula for such processes. We examine each of the two impli- 
cations. In one direction, cap.P (= {(cap)). J-p, and by Lemma 13.81 cap. P |= 
[cap].V , <c ap > J T p>, so cap. P (= P C a P .p- Conversely, if Q \= P>, then 

^ 1 -•/— int 

from Q \= ((cap)). Fp we deduce the existence of Q', Q" such that Q = cap. Q', 
Q 1 { =^> Q", and Q" (= P>. Moreover, from Q (= [cap]. V <ca P > Pp', 

*■ ' '/— int 

we deduce that there is P' such that P =S- P' and Q' (= Pp/, so Q' ~j nt P', 
and by Proposition 15.31 Q ~j nt cap. P. 

— J 7 i x )p characterises (x)P. 

We first prove that (x)P \= J r ( x )p- We pick no fresh for P. We can apply 
the induction hypothesis for P{ n o/x} and for all of its reducts P' . Then the 
implication from right to left follows from Lemma 13.151 

For the other direction, let Q be such that Q (= Tu^p. We assume first that Q 
is eta normalised. Let no be a name that can be used to satisfy formula J-t x )p. 
Then no fn(Q), and there are Q', Q" such that Q = (x)Q' , {no} | (x)Q'=>Q", 
and Q" \= Fpmo/x}-) that is, by hypothesis, Q" ~j nt P{ n o/x}. Moreover, since Q 
is eta normalised, Q'{ n o/x} is not of the form {no} | (x)R with no fn((x)P), 
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and hence this process does not satisfy the formula (J" {no} I (1 input A _, ©no)). 
Therefore, there exists P' such that P{na/ x }^P' and Q'{ n o/x} \= T P <, that is, 
by induction, Q'{ n o/x} ~i nt P' . Using Proposition 15.31 we deduce Q ~ int (x)P. 
We consider now the case when Q is not eta normalised. Let Qq be the eta 
normal form of Q. Then by Lemma 15.11 and Theorem 15.21 Q=lQo- Since by 
hypothesis Q \= T( x )p, Qo \= J 7 ( x )p and by the previous arguments, (x)P ~i nt 
Qq. Finally, by Lemma l5~H (x)P ~ int Q. 
— -^Icap.p characterises !cap.P and Fy^p characterises \{x)P: these results follow 
from the replication case in Proposition l5.3l and from Lemma l4,7l In particular, 
the requirements in terms of sequential (or depth) selectiveness, and cap (or 
n, input) expressiveness are satisfied because the formulas we are using in 
our constructions are characteristic formulas, which, by induction, satisfy such 
requirements. □ 

Corollary 5.4. On the sub-calculus MA\p, we have ~i n t = =l- 
For any closed processes P and Q of MA\-p, we have 

Q (= T P iff P=lQ- □ 



6. Extensions of the calculus 

In this section, we study extensions of MA with different forms of communication: we 
first examine the possibility to emit capabilities (in addition to names) in messages, and 
then consider synchronous communication. We only show how to capture the modifications 
brought to the language, without porting all the constructions seen in the previous sections. 
We however believe that our approach would go through without any major modification. 

We start by pointing out that Lemmas I3.5l3.7l3~6l about the interpretation of formulas 
((cap)). A hold in the extensions we consider, since their proofs are insensitive to the presence 
of communication in the calculus. 

6.1. Capabilities in messages. In the original MA calculus CG98a,, messages can also 
carry paths of capabilities. To accommodate this in the grammar of Tabled all occurrences 
of r] are replaced by M, and the path productions 

M ::= cap | M X .M 2 | e, 

are added to those for expressions, where e stands for the empty path. Thus a capability 
can be a path, such as open n. in m. open h. Also, the rules 

e.P = P (M 1 .M 2 ).P = M 1 .M 2 .P 

are added to those of =. Since messages can now carry names or capabilities, a type 
system is introduced |CG 99 to avoid run-time errors. We shall assume that all processes 
are well- typed (according to the basic Ambient types), which means in particular that in 
the interpretation of a formula of the form A>B, processes that are added in parallel are 
of the right type. Moreover, we will say that the argument of an abstraction (x)P is of 
capability type whenever the typing ensures that capabilities, and not names, can be sent 
to instantiate x. 
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Our main focus will be on the characterisation of these new forms of messages. For this, 
we need a formula TestCap, the analogous of the formula TestComm of Section satisfied 
by all abstractions that are eta-congruent to (x) m[x. 0], where m is some fixed name. 

We also need a formula <\M\j, for any closed capability M, that identifies those processes 
that are structurally congruent to M. 0. We first discuss an example, namely the formula 
(|in n. open m\). For this, ((in n}). ((open m)).0 is not enough: this formula is satisfied by 
inn. open m.O but also, for instance, by processes such as inn. ({M} | (x) openm), which 
has some additional I/O, or in n. out n. in n. open m. 0, which stutters. A formula J- for 
(|in n. open m|) could thus be (the actual definition of din n. open m\j will be different; the 
formula below is easier to read and semantically equivalent): 

T = f ((in n}). ((open m)).0 
A -i ((in n)).^lcomp 
A -.((inn)).((outn)).T 
A -i ((in n}). ((open m)).-i0 
In the definition of the second, third and fourth conjuncts take care of the problems 
with I/O and stuttering mentioned above. 

Here is the complete definition of ()M|) for any path M: 



dopen n. M\ 


def 


((open n))4M\) 






A -i((open n}). (-ilcomp V lamb) 


flout n.MJ) 


def 


((out n». m 






A -i((out n)). (ilcomp V lamb) 






A -.((out n)).((in n)). ((out n)).(\M\) 


din n. M) 


clef 


((in n))4M) 






A -.((in n)). (ilcomp V lamb) 






A -.((in n)).((out n}). ((in n)).<\M\, 


de.M} 


def 


m 


m 


def 








In the definition of (|MD, sub-formula -.IcompVlamb is used to control process reductions, 
see Lemma 16. II 

We now define TestCap: 





def t 


TestCap 


= lcomm 




A lcomm r> □(2comm V m[lcomp]) 




A lcomm ► O m[(|innD] 




A lcomm ► O m[0] 


where (n, 


m) is any pair of different names. 
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The correctness of this definition is proved along the lines of that of TestComm. The formula 
F{M}-> where M is any closed capability, is then 



JF{ M | = lcomm A (TestCap D> O m[(]MD] 



We now give the key steps that allow us to derive the interpretation of the formulas 
presented above. 

Lemma 6.1. Suppose P — ► P' . Then P \= ilcomp V lamb. □ 

Lemma 6.2. Suppose M,P are closed. Then P \= <\M\j iff P = M.O. 

Proof. By induction on the size of M. If the size is then M = and the result follows 
easily. For the inductive case, we proceed by a case analysis. 

• M = inn. N. We have P \= ((in n)). t\M\), therefore by Lemma 13771 P = \nn.P' for 

some P' such that P' (in j^M^ P" and P" \= <\M]j. 

However P' cannot stutter, otherwise P \= ((in n)). ((out n}). ((in n)). d-M|). Also, 
it cannot be P' — > P'" ==> P" otherwise by Lemma 16. II P' \= -ilcomp V lamb, hence 
P \= ((in n)). (-ilcomp V lamb). 

• M = inn. N: similar. 

• M = open n. N: similar (without any stuttering phenomenon). 

• M = e. N . In this case, we also have P \= fliVD, hence by induction P = N, hence 
P = M. □ 

We now adapt the notion of ambient abstraction, introduced in Section in order to 
define a class of processes that will be used to give the interpretation of formula TestCap. 

Definition 6.1 (ambient abstraction and ambient semi-abstraction). The ambient abstrac- 
tions are the subset of processes defined by the following grammar: 

P ::= (x) m[x.O] | (x) ({N} \ P) . 

The ambient semi- abstractions are the subset of processes defined by the following grammar: 

P ::= (s) m[Q) | (x) ({N} \ P) 

where Q is single. 

Lemma 6.3. Given an abstraction (x)R whose argument is of capability type and R contains 
no abstractions, suppose there are messages M,N and substitutions {^/z},{^'/z} such that 

{M} | (x) (R{L/Z}) (= □(2comm Vmflcomp]) 

and _ 

{A^} | (x) (R{ L 'fi}) h O m[lcomp]. 
Then (x) R is an ambient semi- abstraction (i.e., R = m[P] where P is single). □ 



ON THE EXPRESSIVENESS OF THE AMBIENT LOGIC 



2!) 



Lemma 6.4. Given an abstraction (x) R whose argument is of capability type, 
suppose there are messages M,N and substitutions {^/z}, {L'fz} such that 

{M} | (x) (R{L/z}) \= □ (2commVm[lcomp]) 

and _ 

{N} | (x) {R{ L 'fi}) \= O m[lcomp]. 
Then (x) R is an ambient semi- abstraction. 

Proof. By induction on the number of nested abstractions in R. If this number is then 
use Lemma ESI 

Suppose the number is greater than 0. From 

{M} | (x) (R{L/z}) — > R{L/z}{ M /x} 

we derive _ 

R{ L /z}{ M /x} \= 2comm V m[lcomp] 
Since R should contain an abstraction, the formula m[lcomp] is not satisfied, hence 

R{L/z}{M/ x } (= 2comm 

Using this, the fact that R should contain an abstraction, and the other judgement in the 
hypothesis of the lemma we infer that 

R = {M'} | (y) Q 

for some M', y, Q. This information on R and the judgements in the hypothesis of the 
lemma imply: 

{M'\L/z}{M/x}} | (a;) (Q{L/z}{M/ x }) (= 0(2001^11 V m[lcomp]) 

and _ _ 

{M'{L/z}{N/ x }} I ( x ) {Q{L/I}{N/ X }) (= O m[lcomp]. 

We can now conclude, using the inductive hypothesis on Q. □ 

Lemma 6.5. Suppose {x)R is an ambient semi- abstraction, whose argument is of capability 
type, and suppose there are messages M,N and substitutions {^/z},{^'/z} such that 

{M} I (x) {R{Lfz}) |= O m[(\\n \)n] 

and 

{N} I (x) (R{L'/z}) HOm[0], 
Then (x) R is an ambient abstraction. 

Proof. By induction on the number of abstractions in R. The case when this number is 
is easy: if R ^ x. then R does not satisfy the given formulas. 

If the number of abstractions is greater than then Q = ({O} \ P), for some message 
O and process P and then we derive: 

{M} I (x) {0{L/I} I (y) P{L/^}) — > 0{Lfz}{M/ x } \ (y) P{L/^}{M /x} (= <> m ^ n ^] 

and similarly 

0{L'/z}{N/ x } I (y) P{L'/I}{ N /x} (= O m[0] 
and then we conclude using induction. □ 
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We say that an ambient abstraction P is simple if P =p (x) m[x. 0] where =p is the 
least congruence that is closed under the rule 

{M} \(x)P = P{M/x} . 

Lemma 6.6. Suppose (x) Q is an ambient abstraction, and that we have 

(x) Q (= lcomm ► O m[<\\n |)n] and (x) Q \= lcomm ► O m[0] . 

Then (x) Q is simple. 

Proof. Any ambient abstraction is equivalent with respect to =e (structural equivalence 
plus the eta law - see Definition 15, 2j) (x) m[M. 0]. □ 

Lemma 6.7. P \= TestCap iff P is a simple ambient abstraction. 

Proof. We observe that P has to be an I/O, and cannot be a message (otherwise by adding 
(x) in parallel with P we could violate the definition of TestCap). 
Hence P is an abstraction, and there are M, N such that 

{M} | P (= O m[flinn|)] A a^comm V mflcomp]) 

{N} | P (= Om[0] AD(2commVm[lconip]) 

By Lemma 16.41 P must be an ambient semi-abstraction (note that implies lcomp). Now 
Lemma 16 1 51 shows that P must be an ambient abstraction, which by Lemma l6.6l is simple. Q 



clef 



F{M\ = lcomm A TestCap > O m\ 



Lemma 6.8. P (= F {M} iff P = {M}. 



□ 



6.2. Synchronous Ambients. Since the modal logic does not talk about the I/O prim- 
itives, it is interesting to examine variations of these primitives, to see the effect on the 
equality induced by the logic. In MA communication is asynchronous: since a message has 
no continuation, no process is blocked until the message is consumed. The most natural 
variation consists in making communication synchronous. For this the production {rj} for 
messages in the grammar of MA in Table^is replaced by the production {r/}. P. Reduction 
rule Red-Corn becomes: 

Red-Corn 



{M}.Q\ (x) P — > Q \ P{ M /x} 

The communication act liberates, at the same time, both the continuation P of the abstrac- 
tion and the continuation Q of the message. We write MA sync for the resulting synchronous 
calculus. 

Synchrony leads to some important modifications in the assertions and in the proofs of 
the results in the paper. In MA sync , the eta law fails in the sense that the logic can separate 
eta equivalent terms (cf. Definition 15. 2|) . Indeed, we will define a formula (({n})).A whose 
models are processes {n}.P with P^=? \= A. Then, returning to the eta law, formula 
linput A ((({«}))• n[0])^D-i3Comp is satisfied by (x)[{x} \ (y)0), and not by (x)0, where 
by 3Comp we mean the formula IComp | IComp | IComp. 

We will focus now on the characterisation of this new form of communication. In 
asynchronous MA, our separation of messages from abstractions exploited their asymmetry: 
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abstractions, but not messages, have a continuation. In the synchronous case the asymmetry 
disappears, therefore we have to use a different route for the proof, which makes it a bit 
more involved. 

Again, the most delicate point is to find a replacement for the formula TestComm. We 
sketch how the new definition is obtained. 

• We first define a formula, OnlyCom, that is satisfied only by abstractions (x) P and 
messages {M}.P in which capability prefixes and ambients do not appear in the 
continuation P and, moreover, no sub-term of P contains more than two non-trivial 
parallel components. 

• Using OnlyCom we define a formula, ComAmb, that is satisfied only by processes 
defined as those that satisfy OnlyCom except that the innermost operator is an 
ambient 77 [a; [0]]. 

• We then define a formula that characterises the abstraction (x) /i[x[0]]; we write 
3comm for lcomm I lcomm I lcomm: 



Immh = ComAmb 

A OnlyCom > (Ch lcomm A CH 3comm) 

A OnlyCom ► O /i[n[T]] 

A OnlyCom ► O /i[m[T]] , 
where n and m are different names. 

Roughly, the first A-component implies that a process that satisfies Imm/i has an 
abstraction or a message as its outermost operator, and an ambient r/[x[0]] as the 
innermost. The second A-component, call it ensures that the process does not 
have any other operators; that is, the ambient r/[x[0]] is reached immediately after 

the initial communication. For instance, the process R = {M}. (cc) /i[x[0]] does not 
satisfy T because R \ (x)0 ==> (x)/i[x[0]] and (x)/i[x[0]] satisfies lcomm. Finally, the 
third and fourth A-components rule out the messages and the abstraction (x)x[x[0]]. 
Once we have defined formulas to capture primitives for synchronous communication, 
the other expressiveness results in the paper also hold for synchronous MA. The corre- 
sponding proofs follow closely the arguments in the previous sections. 

We now move to the formal definition and analysis of the formulas we alluded to above. 

Modifications between Lemma \3.1(A and \3. lJ\ To define a formula that captures synchronous 
outputs (Xemma l6. 14l below) . we introduce tester processes of the form (x)/i[x[0]], for a given 
name h. The logical characterisation of these (Lemma I6.13P is slightly more complicated 
than the corresponding result in the asynchronous case fLemma l3,13[) . and is based on four 
grammars describing communicating processes, that are defined as follows. 



OnlyCom = lcomm ► (□(2comm V 0) AO0) 
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To interpret formula DnlyCom, we introduce the following grammars: 
H ::={??}. | (x) | {n}. (H\H)\ (x) (H \ H) \ {rj}. H \ (x) H 
K ::=W}. V [y[0}] \ (x) V [y[0}} \ {?/}. (H \ K) \ (x) (H \ K) \ {r,'}K \ (x) K 
H* ::=H | 

K* ::={T]'}.rj[7]"[0}] \ (x) 7][r]"[0}] | {?/}. (H \ K) \ (x) (H \ K) \ {q'}K \ (x) K \ »y[r/'[0]] 
We write 

• QH for the set of terms described by H, 

• QK for those described by K, 

• QH* for those described by H* , and 

• QK* for those described by K*. 

(The grammar for K*, with respect to that for K, has the additional production for ^[r/fO]], 
and has ^[^'[O]] in place of ?/[y[0]] in the other productions.) 

Lemma 6.9. Suppose P is a AL4 sync process. P{ n /x] € QH iff P £ QH. □ 

Lemma 6.10. Suppose P is a MA sync process and P \= OnlyCom. Then P = P' for some 
P' e QH. 

Proof. Suppose Pi |= OnlyCom. Then there is a process P2 with P2 \= lcomm such that 

P l I p 2 (= (0(200111111 V0) AO 0). 

In particular, it holds that Pi | P2 \= 2comm, hence Pi |= lcomm. 

We show that if Qi, Q2 are processes that satisfy lcomm and such that 

Qi\Q 2 \= (a(2comm V0) AO 0), 

then Qi,Q 2 G QH. 

The proof is by induction on the maximal depth of Qi,Q 2 - The case when this depth 
is 1 is easy. If this depth is greater than 1, then Q\ \ Q 2 — > Q[ \ Q 2 , using the com rule, 
where Qi is the continuation of Qi. We have three cases: 

• Q[ = 0, Q' 2 = Pi I R 2 for some non-trivial R\,R 2 ; 

• the symmetric case; 

• none of Q[ and Q 2 is structurally congruent to 0. 

In the first two cases, we deduce that Pi, R 2 satisfy lcomm, and then use induction to infer 
R\,R 2 € QH. Then using the first 4 productions of the grammar, and Lemma [6.91 Qi,Q 2 € 
QH. In the third case, use induction to infer Q[, Q' 2 € QH. Hence also Qi,Q 2 £ QH, using 
the last 2 productions of the grammar and Lemma 1(191 □ 

Lemma 6.11. Suppose P is a MA syDC process, and P \= □(2commV /i[rc[0]]) A O /i[n[0]], 
where h, n are any names. Then P = P\\ P 2 with P\ G QH and P 2 € QK* . 

Proof. By induction on the size of P, where the size is the number of operators in P. The 
size cannot be or 1. If the size is 2 then P = /i[ra[0]], and P = | /i[n[0]], hence the 

def 

assertion of the lemma, for Pi = 0. 

Suppose the size if greater than 2. Call 

T = □(2commV/i[n[0]]) A O h[n[0}} 

Then 

P = Pi \ P 2 where, for i = 1, 2, we have Pj |= lcomm 
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Since P must reduce, 

Pi | ffe = {m}.Q 1 | (x)Q 2 

and 

Qi I Q 2 { TO M \=T. 

The size of Qi | Q2{ m /x} is smaller. 

It can be that Qi or Q 2 are 0, or none is (they cannot both be 0). In both cases 
we can conclude by referring to the appropriate grammar productions and by using the 
inductive hypothesis. □ 

Define now: 



ComAmb d = 3 x . ( DnlyCom ► ^□(2comm V x[n[0]]) A O x[n[0] 

A Only Com ► O x[m[0]] 
where n and m are different names. 



Lemma 6.12. Suppose P is a MA sync process, and P \= ComAmb. Then P = P' for some 
P' £ QK. 

Proof. Suppose P\ \= ComAmb. Then there is a process P2 and some h with P2 \= OnlyCom 
such that Pi [ P 2 (= □(2comm V h[n[0]]) A O h[n[0]]. By Lemma KHU1 P 2 =€ QH. By 
Lemma 16.111 Pi £ QK* . Moreover, since Pi |= lcomm, it holds that Pi ^ /i[n[0]]; from this 
and Pi |= OnlyCom ► O fr[m[0]], we deduce Pi G QK. 
Define 



, dcf , , , 

Imm h = ComAmb A 



OnlyCom > (□-> lcomm A D—\ 3comm) 

OnlyCom ► O h[n[T]] 

OnlyCom ► O /i[m[T]] 
where m 7^ n. 



Lemma 6.13. Suppose P \= Imm/i. Then P = (x) h[x[0]]. 

Proof. By Lemma 16.121 P = P' E QK. One then shows that (x) h[x[0]] satisfies Imm/i, 
whereas the other terms in QK do not (choosing the appropriate OnlyCom). d 

Now we can define the formula: 



(({n})}.A'= lcomm 



A V x . (Immx > O (x[n[0}} \ A)) 



Lemma 6.14. Suppose P is a MA sync process. It holds that P \= {({n})).A iff P = {n}.Q 
and Q Q' and Q' \= A. 

Proof. Take h fresh. Then by Lemma 16.131 

P I (2) h[x[0]] \= O (h[x[0]\ I A) ■ 
From this, and P |= lcomm, we deduce P = {m}. P', for some m, P'. We also deduce that 

P> \ h[m[0}} \= O (h[m[0]] I A) ■ 
Since h is fresh, P' cannot interact with h. Hence m = n, and moreover P' ==^\= A. □ 
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Lemma 6.15. Suppose P is a MA sjnc process. It holds that P \= ((In)). A iff P = (x) P' 



6.3. Other Extensions. 

6.3.1. Name restriction and revelation. Usually CG98a, CG99J, the syntax of MA also has 
the restriction operator. In (.'G()l . Cardelli and Gordon propose an extension of AL with 
logical connectives to describe restriction. In particular, the operator of name revelation 
allows one to derive ©n (Subsection I4.2JI . In presence of restriction in the calculus, we 
cannot adapt our construction to capture finiteness of processes, intuitively because our 
approach consists in exhibiting a context that allows a finite process to reduce to 0, which 
is not possible in general in presence of restriction. However, characteristic formulas can 
be derived, by enriching our constructions with a formula that says that a process has no 
restriction (which is definable using name revelation). 

6.3.2. Strong sometimes modality. One could consider a "strong" version of the sometimes 
(O) modality, where — ► replaces ==> in the definition of |=. This variant is easier to study, 
and less interesting in a sense. We explain the effects it would have. The only drawback 
is that with a strong version of O we could not derive the formulas of Section 0J and as 
a consequence characteristic formulas can be given for finite processes only. On the other 
hand, the formulas for capabilities and communications would become much simpler; we 
would not have to consider stuttering and eta conversions; logical equivalence would coincide 
with structural congruence. 

6.3.3. Recursion. In a different direction, a variant of MA can be considered in which a 
recursion operator is used instead of replication (see for example ILS03] ) . Recursion gives 
trees with infinite depth; this prevents us from defining the measures sd(P) and dd(P) up 
to structural congruence. Moreover, the constructions in Subsection 14.31 are based on the 
characterisation of persistence (that provides a form of 'recursion in width') of replicated 
processes. We do not think that they could be easily adapted to a calculus with recursion. 

Acknowledgments. We thank the anonymous referees for their careful reading of the paper, 
and for their comments and suggestions, which resulted in a number of improvements for 
the paper. 
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